CN110166256B - SM9 digital signature multi-party collaborative generation method and system with product r parameter - Google Patents


Publication number
CN110166256B
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201910521921.5A
Other languages
Chinese (zh)
Other versions
CN110166256A (en)
Inventor
龙毅宏
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Wuhan University of Technology WUT
Original Assignee
Wuhan University of Technology WUT
Application filed by Wuhan University of Technology WUT
Priority to CN201910521921.5A
Publication of CN110166256A
Application granted
Publication of CN110166256B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/085 Secret sharing or secret splitting, e.g. threshold schemes
    • H04L9/0861 Generation of secret information including derivation or calculation of cryptographic keys or passwords
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Abstract

The invention relates to an SM9 digital signature generation method, which comprises the following: m devices numbered 1 to m each hold an integer secret $c_i$ in $[1, n-1]$, where n is the order of the SM9 groups, $i = 1, \ldots, m$, and $m \geq 2$; $P_A = [(c_1 + c_2 + \cdots + c_m)^{-1}]d_A$ and $P_B = [b]d_A$, where $d_A$ is the private key of the user and b is an integer secret in $[1, n-1]$ unknown to all m devices; when $d_A$ is required to sign a message M, the devices compute $w = g_B^{r_1 r_2 \cdots r_m}$, $h = H_2(M \| w, n)$, $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, ..., $Q_{m-1} = [(r_m)^{-1}]P_A$, and take $Q_m = P_A$, $S_0 = P_B$; the m devices recursively compute $S_i = [r_i]S_{i-1} + [-c_i h]Q_i$; let $S = S_m$, then (h, S) is a digital signature for the message.

Description

SM9 digital signature multi-party collaborative generation method and system with product r parameter
Technical Field
The invention belongs to the technical field of information security, and particularly relates to an SM9 digital signature multi-party collaborative generation method and system with a product r parameter.
Background
SM9 is an identity-based cryptographic algorithm, based on bilinear mapping (pairing operation), issued by the national cryptography authority, wherein the bilinear mapping (pairing operation) is:
$e: G_1 \times G_2 \to G_T$, in which $G_1$, $G_2$ are additive cyclic groups, $G_T$ is a multiplicative cyclic group, and the order of $G_1$, $G_2$, $G_T$ is a prime n (note: in the SM9 specification the order of $G_1$, $G_2$, $G_T$ is denoted by the capital letter N, while the present application uses the lower-case n); that is, if P, Q, R are elements of $G_1$, $G_2$ respectively, then $e(P, Q)$ is an element of $G_T$, and:
$e(P + R, Q) = e(P, Q)\,e(R, Q)$,
$e(P, Q + R) = e(P, Q)\,e(P, R)$,
$e(aP, bQ) = e(P, Q)^{ab}$.
The SM9-based cryptographic algorithms can realize identity-based digital signature, key exchange and data encryption. In the SM9 cryptographic algorithm, the process of generating a digital signature for a message M using the user's SM9 private key $d_A$ is as follows:
compute $w = g^r$, where the symbol ^ denotes exponentiation (g to the r-th power), r is an integer randomly selected in the interval $[1, n-1]$, n is the order of the groups $G_1$, $G_2$, $G_T$ of the SM9 cryptographic algorithm, $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where s is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification; note that the symbols used here for the master private key or master key, the master public key and the user identity private key differ slightly from the SM9 specification);
then compute $h = H_2(M \| w, n)$, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of M and w, and n is the order of $G_1$, $G_2$, $G_T$ (see the SM9 specification);
if $r \neq h$, compute $S = [r - h]d_A$; then (h, S) is the generated digital signature; if $r = h$, reselect r and recompute w and h until $r \neq h$.
For special requirements, for example to protect the use of the user's private key in a non-hardware environment, some methods for generating SM9 digital signatures based on secret sharing have been proposed. In these methods, a plurality of devices each hold a secret share of the user's SM9 private key, or each hold a secret share of a secret related to the private key; when a digital signature needs to be generated for a message M using the user's private key, each device uses its own secret share to interact and cooperate with the other devices, and the digital signature for the message is generated.
The existing secret-sharing-based SM9 digital signature collaborative generation schemes usually compute $w = g^{a_1 r_1 + \cdots + a_m r_m}$ during the cryptographic operation, where $r_i$ is an integer randomly selected by the i-th device in $[1, n-1]$ and $a_i$ is a constant, $i = 1, \ldots, m$ (assuming m devices); then $h = H_2(M \| w, n)$ is computed, and finally the m devices obtain $S = [(a_1 r_1 + \cdots + a_m r_m) - h]d_A$ through cooperative computation. Such a scheme is generally not a problem, but it may happen that $(a_1 r_1 + \cdots + a_m r_m) \bmod n = 0$ and that exactly one of the devices observes this (e.g., by checking whether w is the identity element) but does not report it; that device can then derive the user's SM9 private key from the resulting digital signature (h, S). The probability of this occurring is extremely small, but it can still occur, particularly given that truly random selection of the $r_i$ is difficult to achieve.
If a secret-sharing-based digital signature collaborative generation scheme can instead use $w = g^{a r_1 \cdots r_m}$, $S = [(a r_1 \cdots r_m) - h]d_A$, i.e. $r_1, \ldots, r_m$ and a constant a appear in the form of a product, then the case $(a r_1 \cdots r_m) \bmod n = 0$ does not arise, and such a scheme has higher security. Here, the case where $r_1, \ldots, r_m$ and the constant a appear in the form of a product is referred to as the case of the product r parameter, and an SM9 digital signature cooperative generation method in which $r_1, \ldots, r_m$ and the constant a appear in the form of a product during the generation of the digital signature is referred to as an SM9 digital signature cooperative generation method with a product r parameter.
Disclosure of Invention
The invention aims to provide an SM9 digital signature multi-party collaborative generation technical scheme with enhanced security, namely an SM9 digital signature multi-party collaborative generation technical scheme with a product r parameter, so as to enhance the security of secret-sharing-based SM9 digital signature collaborative generation.
Aiming at the purpose of the invention, the technical scheme provided by the invention comprises an SM9 digital signature multi-party collaborative generation method with a product r parameter and a corresponding system.
In the following description of the present invention, if P, Q are elements of the additive groups $G_1$, $G_2$, then P + Q denotes the addition of P and Q in the additive group, P − Q denotes P plus the inverse (additive inverse) of Q, and [k]P denotes the sum of k copies of P in the additive group, i.e. P + P + ... + P (k copies of P in total) (if k is negative, it is the additive inverse of the sum of |k| copies of P; the use of the [ ] notation here is consistent with the SM9 specification);
an ellipsis "..." represents a plurality of data items of the same type or a plurality of identical operations;
if a, b are elements of the multiplicative group $G_T$, then ab or a·b denotes the product of a and b in $G_T$ ("·" may be omitted as long as no ambiguity arises), $a^{-1}$ denotes the inverse (multiplicative inverse) of a in the multiplicative group, and $a^t$ denotes the product of t copies of a in $G_T$ (if t is negative, the inverse of the product of |t| copies of a), i.e. exponentiation; another way of writing $a^t$ is a^t;
if c is an integer, then $c^{-1}$ denotes the modulo-n multiplicative inverse of the integer c (i.e., $c c^{-1} \bmod n = 1$); unless otherwise specified, the multiplicative inverse of an integer in this patent is the modulo-n multiplicative inverse with respect to the order n of the groups $G_1$, $G_2$, $G_T$;
when multiple integers are multiplied (including multiplication of integer symbols and of constants with integer symbols), the multiplication sign "·" is omitted where no ambiguity arises, e.g. $k_1 \cdot k_2$ is simplified to $k_1 k_2$, and $3 \cdot c$ is simplified to $3c$;
mod n denotes the modulo n operation (modulo operation), corresponding to modN in the SM9 specification; also, the operator mod n of the modulo n operation is of lowest priority, e.g., a + b mod n equals (a + b) mod n, a-b mod n equals (a-b) mod n, ab mod n equals (ab) mod n.
The SM9 digital signature multi-party collaborative generation method with the product r parameter provided by the invention is concretely as follows.
The method involves m devices, labeled No. 1, No. 2, ..., No. m, where $m \geq 2$;
device No. i holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$, where n is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm (a prime), and $(c_1 + c_2 + \cdots + c_m) \bmod n \neq 0$;
(initialization phase) the following are pre-computed:
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the modulo-n multiplicative inverse of c, and $c = (c_1 + c_2 + \cdots + c_m) \bmod n$ is an integer secret that none of the m devices holds;
$P_B = [b]d_A$, where b is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
b and $c^{-1}$ need not be different (they may be different or the same);
$g_B = g^b$, where ^ is exponentiation (the element before ^ is raised to the power given by the number after it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where s is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
none of the m devices stores $d_A$.
When the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices generate the digital signature as follows (the entity that needs to use the user's SM9 identity private key $d_A$ to digitally sign the message M may be a cryptographic application, system or cryptographic module that invokes the m devices, or a cryptographic application or system in one of the m devices):
first, the m devices obtain $w = g_B^{r_1 r_2 \cdots r_m}$ through interactive computation, where $r_i$ is an integer randomly selected in the interval $[1, n-1]$ by device No. i during the computation, $i = 1, \ldots, m$;
then $h = H_2(M \| w, n)$ is computed (by one of the m devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of M and w, and n is the order of $G_1$, $G_2$, $G_T$;
(h is not secret and can be transferred freely as required)
it is checked (by one of the m devices or by another device) whether w equals $g^h$; if $w = g^h$, the m devices recompute w, until $w \neq g^h$;
then $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, ..., $Q_{m-1} = [(r_m)^{-1}]P_A$ are computed, and $Q_m = P_A$ is taken;
take $S_0 = P_B$;
device No. 1 computes $S_1 = [r_1]S_0 + [-c_1 h]Q_1$, where $r_1$ is the same $r_1$ used when computing w, and then sends $S_1$ to device No. 2;
after receiving $S_{i-1}$, device No. i, $i = 2, \ldots, m$, checks $S_{i-1}$ and reports an error if it is zero; otherwise it computes $S_i = [r_i]S_{i-1} + [-c_i h]Q_i$, where $r_i$ is the same $r_i$ used when computing w;
if $i = m$, then $S = S_m$ is taken and (h, S) is the generated digital signature for the message M; otherwise $S_i$ is sent to device No. i+1, until the computation of $S_m$ is completed.
(Here $S = [r_1 r_2 \cdots r_m]P_B + [-c_1 h r_2 \cdots r_m]Q_1 + [-c_2 h r_3 \cdots r_m]Q_2 + \cdots + [-c_{m-1} h r_m]Q_{m-1} + [-c_m h]Q_m = [r_1 r_2 \cdots r_m]P_B + [-(c_1 + c_2 + \cdots + c_m)h]P_A = [(r_1 r_2 \cdots r_m)b - h]d_A$.)
For the above SM9 digital signature multi-party collaborative generation method with the product r parameter, the ways in which the m devices compute $w = g_B^{r_1 r_2 \cdots r_m}$ include (these are not all possible ways):
device No. 1 computes $g_1 = g_B^{r_1}$ and sends $g_1$ to device No. 2;
after receiving $g_{i-1}$, device No. i, $i = 2, \ldots, m$, computes $g_i = g_{i-1}^{r_i}$;
if $i = m$, then $w = g_m$ is taken and the computation is complete; otherwise device No. i sends $g_i$ to device No. i+1;
or, alternatively,
device No. m computes $g_m = g_B^{r_m}$ and sends $g_m$ to device No. m−1;
after receiving $g_{i+1}$, device No. i, $i = m-1, \ldots, 1$, computes $g_i = g_{i+1}^{r_i}$;
if $i = 1$, then $w = g_1$ is taken and the computation is complete; otherwise device No. i sends $g_i$ to device No. i−1.
For the above SM9 digital signature multi-party collaborative generation method with the product r parameter, if whether w equals $g^h$ is not checked during the computation, then after S is computed, if (one of the m devices or another device) finds that S is zero, the m devices perform the collaborative computation again, until S is not zero.
For the above SM9 digital signature multi-party collaborative generation method with the product r parameter, one way of computing $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, ..., $Q_{m-1} = [(r_m)^{-1}]P_A$ is as follows:
device No. m takes $Q_m = P_A$, computes $Q_{m-1} = [(r_m)^{-1}]Q_m$, and sends $Q_{m-1}$ to device No. m−1;
after device No. i receives $Q_i$, $i = m-1, \ldots, 1$: if $i = 1$, device No. 1 temporarily retains $Q_1$, which completes the computation of $Q_1, Q_2, \ldots, Q_{m-1}$; otherwise device No. i computes $Q_{i-1} = [(r_i)^{-1}]Q_i$, temporarily retains $Q_i$, and sends $Q_{i-1}$ to device No. i−1.
For the above SM9 digital signature multi-party collaborative generation method with the product r parameter, if $c_m = 0$ is taken, $P_A$ is stored as a secret by device No. m, and $b \neq c^{-1}$ (i.e. $P_B \neq P_A$), then after $S_m$ is computed according to the method (in this case $[-c_m h]Q_m$ is zero), device No. m takes $S = S_m$ and checks the validity of (h, S) as a digital signature of the message M; if it is valid, (h, S) is the digital signature for the message M; otherwise device No. m reports an error.
On the basis of the SM9 digital signature multi-party collaborative generation method with the product r parameter, an SM9 digital signature collaborative generation system can be constructed. The system comprises m devices, labeled No. 1, No. 2, ..., No. m, where $m \geq 2$; device No. i holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$; when the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices generate the digital signature for the message M according to the SM9 digital signature multi-party collaborative generation method with the product r parameter; in particular, if $c_m = 0$ is taken, $P_A$ is stored as a secret by device No. m, and $b \neq c^{-1}$ (i.e. $P_B \neq P_A$), then after $S_m$ is computed according to the method (in this case $[-c_m h]Q_m$ is zero), device No. m takes $S = S_m$ and checks the validity of (h, S) as a digital signature of the message M; if it is valid, (h, S) is the digital signature for the message M; otherwise device No. m reports an error.
From the foregoing description, it can be seen that with the method and system of the present invention, when the user identity private key $d_A$ needs to be used to digitally sign a message, the plurality of devices can cooperatively generate the digital signature for the message through interaction, and because the product r parameter is adopted in the cooperative computation, the method has higher security.
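The signing flow described above (the w chain, the Q chain, the S recursion and the $c_m = 0$ variant), as an added example that is not part of the patent: a toy algebraic model in Python in which group elements are represented by their discrete logs modulo a stand-in prime n = 2^127 − 1 and SHA-256 stands in for H1/H2. The names `keygen`, `deal`, `cosign`, `sign` and `verify` are hypothetical; the model is insecure by construction and only checks that the recursion yields $S = [(r_1 \cdots r_m)b - h]d_A$ and passes the standard SM9 verification equation.

```python
# Added illustration, not the patent's code. Toy algebraic model (assumption):
# elements of G1/G2 are stored as scalars mod n and elements of GT as exponents
# of e(P1, P2), with P1 = P2 = 1. Discrete logs are visible, so this checks the
# algebra of the protocol only and provides no security.
import hashlib
import secrets

N = 2**127 - 1  # stand-in prime order n (not the SM9 curve order)


def inv(x):
    """Modulo-n multiplicative inverse."""
    return pow(x, -1, N)


def rand():
    """Random integer in [1, n-1]."""
    return secrets.randbelow(N - 1) + 1


def H(tag, data):
    """Stand-in for SM9 H1/H2 (assumption): SHA-256 mapped into [1, n-1]."""
    return int.from_bytes(hashlib.sha256(tag + data).digest(), "big") % (N - 1) + 1


def h2(msg, w):
    """h = H2(M || w, n), with the GT element w serialized as 16 bytes."""
    return H(b"\x02", msg + w.to_bytes(16, "big"))


def keygen(ident):
    """Key generation centre: returns P_pub = [s]P2 and d_A = [s/(H1(ID)+s)]P1."""
    while True:
        s = rand()
        t1 = (H(b"\x01", ident) + s) % N
        if t1:
            return s, s * inv(t1) % N


def deal(d_A, P_pub, cs, b):
    """Initialization by the party that knows d_A; cs[-1] may be 0 (Examples 3, 4)."""
    c = sum(cs) % N
    if c == 0:
        raise ValueError("(c_1+...+c_m) mod n must not be 0")
    if cs[-1] == 0 and b == inv(c):
        raise ValueError("b must differ from c^-1 when c_m = 0")
    g = P_pub                                          # g = e(P1, P_pub)
    return inv(c) * d_A % N, b * d_A % N, g * b % N    # P_A, P_B, g_B = g^b


def cosign(msg, cs, rs, P_A, P_B, P_pub, g_B):
    """One signing run; cs[i-1], rs[i-1] are the secrets of device No. i."""
    m = len(cs)
    w = g_B
    for r in rs:                               # device 1 -> m: g_i = g_{i-1}^{r_i}
        w = w * r % N
    h = h2(msg, w)
    if w == P_pub * h % N:                     # w == g^h: nonces must be redrawn
        raise ArithmeticError("w equals g^h")
    Q = [None] * (m + 1)
    Q[m] = P_A
    for i in range(m, 1, -1):                  # device m -> 2: Q_{i-1} = [r_i^-1]Q_i
        Q[i - 1] = inv(rs[i - 1]) * Q[i] % N
    S = P_B                                    # S_0
    for i in range(1, m + 1):                  # device 1 -> m
        if i > 1 and S == 0:
            raise ValueError("S_%d is zero" % (i - 1))
        S = (rs[i - 1] * S - cs[i - 1] * h * Q[i]) % N
    return h, S


def sign(msg, cs, P_A, P_B, P_pub, g_B):
    """Draw fresh r_i for each run and repeat while w == g^h."""
    while True:
        try:
            return cosign(msg, cs, [rand() for _ in cs], P_A, P_B, P_pub, g_B)
        except ArithmeticError:
            continue


def verify(msg, ident, sig, P_pub):
    """SM9 check: w' = e(S, [H1(ID)]P2 + P_pub) * g^h; accept if H2(M||w') == h."""
    h, S = sig
    if not 1 <= h < N:
        return False
    u = S * ((H(b"\x01", ident) + P_pub) % N) % N   # pairing = product of scalars
    w2 = (u + P_pub * h) % N                        # GT multiplication adds exponents
    return h2(msg, w2) == h
```

Because n is prime and every $r_i$ and b lies in $[1, n-1]$, the exponent $(r_1 \cdots r_m)b \bmod n$ can never be 0, which is the property the product form is chosen for.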
Drawings
None.
Detailed Description
The present invention will be further described with reference to the following examples. The following examples are merely illustrative of a few possible embodiments of the present invention and are not intended to represent all possible embodiments and are not intended to limit the present invention.
Example 1
This embodiment has two devices, numbered 1 and 2. Device No. 1 holds an integer secret $c_1$ in the interval $[1, n-1]$ and device No. 2 holds an integer secret $c_2$ in the interval $[1, n-1]$, where n is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm (a prime), and $(c_1 + c_2) \bmod n \neq 0$;
(initialization phase) the following are pre-computed:
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the modulo-n multiplicative inverse of c, and $c = (c_1 + c_2) \bmod n$ is an integer secret that neither device holds;
$P_B = [b]d_A$, where b is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
b and $c^{-1}$ need not be different (they may be different or the same);
$g_B = g^b$, where ^ is exponentiation (the element before ^ is raised to the power given by the number after it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where s is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
neither device stores $d_A$.
When the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the two devices first obtain $w = g_B^{r_1 r_2}$ through interactive computation, where $r_1$ is an integer randomly selected by device No. 1 in the interval $[1, n-1]$ and $r_2$ is an integer randomly selected by device No. 2 in the interval $[1, n-1]$;
then $h = H_2(M \| w, n)$ is computed (by one of the two devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of M and w, and n is the order of $G_1$, $G_2$, $G_T$;
it is checked (by one of the two devices or by another device) whether w equals $g^h$; if $w = g^h$, the two devices recompute w, until $w \neq g^h$;
then $Q_1 = [(r_2)^{-1}]P_A$ is computed, and $Q_2 = P_A$ is taken;
take $S_0 = P_B$;
device No. 1 computes $S_1 = [r_1]S_0 + [-c_1 h]Q_1$, where $r_1$ is the same $r_1$ used when computing w, and then sends $S_1$ to device No. 2;
after receiving $S_1$, device No. 2 checks $S_1$ and reports an error if it is zero; otherwise it computes $S_2 = [r_2]S_1 + [-c_2 h]Q_2$, where $r_2$ is the same $r_2$ used when computing w;
taking $S = S_2$, (h, S) is a digital signature for the message M.
(Here $S = [r_1 r_2]P_B + [-c_1 h r_2]Q_1 + [-c_2 h]Q_2 = [r_1 r_2]P_B + [-(c_1 + c_2)h]P_A = [(r_1 r_2)b - h]d_A$.)
For this embodiment, in the initialization phase, a device that knows $d_A$ (one of the two devices, or a device other than the two devices) may randomly select two integers $c_1$, $c_2$ in $[1, n-1]$ and check whether $(c_1 + c_2) \bmod n$ is 0; if so, it reselects two integers $c_1$, $c_2$ in $[1, n-1]$, until $(c_1 + c_2) \bmod n$ is not 0;
if $(c_1 + c_2) \bmod n$ is not 0, then $c_1$, $c_2$ are handed to devices No. 1 and No. 2 respectively to be kept as secrets;
then the device that knows $d_A$ computes $P_A = [c^{-1}]d_A$, where $c^{-1}$ is the modulo-n multiplicative inverse of c and $c = (c_1 + c_2) \bmod n$; it randomly selects an integer b in $[1, n-1]$ and computes $P_B = [b]d_A$;
finally, $P_A$, $P_B$ are handed to the devices that need to use them, and c, b, $d_A$ are destroyed.
Example 2
This embodiment has m devices, numbered 1, 2, ..., m, with $m \geq 2$, where device No. i holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$, where n is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm (a prime), and $(c_1 + c_2 + \cdots + c_m) \bmod n \neq 0$;
(initialization phase) the following are pre-computed:
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c = (c_1 + c_2 + \cdots + c_m) \bmod n$ is an integer secret that none of the m devices holds, and $c^{-1}$ is the modulo-n multiplicative inverse of c;
$P_B = [b]d_A$, where b is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
b and $c^{-1}$ need not be different (they may be different or the same);
$g_B = g^b$, where ^ is exponentiation (the element before ^ is raised to the power given by the number after it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where s is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
none of the m devices stores $d_A$.
When the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices first obtain $w = g_B^{r_1 r_2 \cdots r_m}$ through interactive computation, where $r_i$ is an integer randomly selected in the interval $[1, n-1]$ by device No. i during the computation, $i = 1, \ldots, m$;
then $h = H_2(M \| w, n)$ is computed (by one of the m devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of M and w, and n is the order of $G_1$, $G_2$, $G_T$;
(h is not secret and can be transferred freely as required)
it is checked (by one of the m devices or by another device) whether w equals $g^h$; if $w = g^h$, the m devices recompute w, until $w \neq g^h$;
then $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, ..., $Q_{m-1} = [(r_m)^{-1}]P_A$ are computed, and $Q_m = P_A$ is taken;
take $S_0 = P_B$;
device No. 1 computes $S_1 = [r_1]S_0 + [-c_1 h]Q_1$, where $r_1$ is the same $r_1$ used when computing w, and then sends $S_1$ to device No. 2;
after receiving $S_{i-1}$, device No. i, $i = 2, \ldots, m$, checks $S_{i-1}$ and reports an error if it is zero; otherwise it computes $S_i = [r_i]S_{i-1} + [-c_i h]Q_i$, where $r_i$ is the same $r_i$ used when computing w;
if $i = m$, then $S = S_m$ is taken and (h, S) is the generated digital signature for the message M; otherwise $S_i$ is sent to device No. i+1.
(Here $S = [r_1 r_2 \cdots r_m]P_B + [-c_1 h r_2 \cdots r_m]Q_1 + [-c_2 h r_3 \cdots r_m]Q_2 + \cdots + [-c_{m-1} h r_m]Q_{m-1} + [-c_m h]Q_m = [r_1 r_2 \cdots r_m]P_B + [-(c_1 + c_2 + \cdots + c_m)h]P_A = [(r_1 r_2 \cdots r_m)b - h]d_A$.)
For this embodiment, in the initialization phase, a device that knows $d_A$ (one of the m devices, or a device other than the m devices) may randomly select m integers $c_i$, $i = 1, \ldots, m$, in $[1, n-1]$ and check whether $(c_1 + c_2 + \cdots + c_m) \bmod n$ is 0; if so, it reselects m integers in $[1, n-1]$, until $(c_1 + c_2 + \cdots + c_m) \bmod n$ is not 0;
if $(c_1 + c_2 + \cdots + c_m) \bmod n$ is not 0, then $c_i$ is handed to device No. i to be kept as a secret, $i = 1, \ldots, m$;
then the device that knows $d_A$ computes $P_A = [c^{-1}]d_A$, where $c^{-1}$ is the modulo-n multiplicative inverse of c and $c = (c_1 + c_2 + \cdots + c_m) \bmod n$;
then the device that knows $d_A$ randomly selects an integer b in $[1, n-1]$ and computes $P_B = [b]d_A$;
finally, $P_A$, $P_B$ are handed to the devices that need them, and c, b, $d_A$ are destroyed.
Example 3
This embodiment has two devices, numbered 1 and 2. Device No. 1 holds an integer secret $c_1$ in the interval $[1, n-1]$, where n is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm (a prime); device No. 2 holds the secret $P_A = [(c_1)^{-1}]d_A$ (in this case $c_2 = 0$), where $d_A$ is the user's SM9 identity private key and $(c_1)^{-1}$ is the modulo-n multiplicative inverse of $c_1$;
(initialization phase) the following are pre-computed:
$P_B = [b]d_A$, where b is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
b and $(c_1)^{-1}$ are different;
$g_B = g^b$, where ^ is exponentiation (the element before ^ is raised to the power given by the number after it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where s is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
neither device stores $d_A$.
When the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the two devices first obtain $w = g_B^{r_1 r_2}$ through interactive computation, where $r_1$ is an integer randomly selected by device No. 1 in the interval $[1, n-1]$ and $r_2$ is an integer randomly selected by device No. 2 in the interval $[1, n-1]$;
then $h = H_2(M \| w, n)$ is computed (by one of the two devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of M and w, and n is the order of $G_1$, $G_2$, $G_T$;
it is checked (by one of the two devices or by another device) whether w equals $g^h$; if $w = g^h$, the two devices recompute w, until $w \neq g^h$;
then $Q_1 = [(r_2)^{-1}]P_A$ is computed;
take $S_0 = P_B$;
device No. 1 computes $S_1 = [r_1]S_0 + [-c_1 h]Q_1$, where $r_1$ is the same $r_1$ used when computing w, and then sends $S_1$ to device No. 2;
after receiving $S_1$, device No. 2 checks $S_1$ and reports an error if it is zero; otherwise it computes $S_2 = [r_2]S_1$ (in this case $c_2 = 0$), where $r_2$ is the same $r_2$ used when computing w;
device No. 2 takes $S = S_2$ and checks the validity of (h, S) as a digital signature of the message M; if it is valid, (h, S) is the digital signature of the message M; otherwise device No. 2 reports an error.
(Here $S = [r_1 r_2]P_B + [-c_1 r_2 h]Q_1 = [r_1 r_2]P_B + [-c_1 h]P_A = [(r_1 r_2)b - h]d_A$.)
For this embodiment, in the initialization phase, a device that knows $d_A$ (one of the two devices, or a device other than the two devices) may randomly select an integer $c_1$ in $[1, n-1]$ and hand $c_1$ to device No. 1 to be kept as a secret; compute $P_A = [(c_1)^{-1}]d_A$ and hand $P_A$ to device No. 2 to be stored as a secret (in this case $c_2 = 0$); the device that knows $d_A$ randomly selects an integer b in $[1, n-1]$ with $b \neq (c_1)^{-1}$, computes $P_B = [b]d_A$, hands $P_B$ to the devices that need it, and destroys b and $d_A$.
Example 4
This embodiment has m devices, numbered 1, 2, ..., m, where $m \geq 2$. Devices No. 1 to No. m−1 each hold an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m-1$, where n is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm (a prime), and $(c_1 + c_2 + \cdots + c_{m-1}) \bmod n \neq 0$; device No. m holds the secret $P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the modulo-n multiplicative inverse of c, and $c = (c_1 + c_2 + \cdots + c_{m-1}) \bmod n$;
(initialization phase) the following are pre-computed:
$P_B = [b]d_A$, where b is an integer secret in the interval $[1, n-1]$ that none of the m devices holds;
b and $c^{-1}$ are different;
$g_B = g^b$, where ^ is exponentiation (the element before ^ is raised to the power given by the number after it), $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key (i.e. $P_{pub} = [s]P_2$, where s is the master private key or master key and $P_2$ is the generator of $G_2$; see the SM9 specification);
none of the m devices stores $d_A$.
When the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices first obtain $w = g_B^{r_1 r_2 \cdots r_m}$ through interactive computation, where $r_i$ is an integer randomly selected in the interval $[1, n-1]$ by device No. i during the computation, $i = 1, \ldots, m$;
then $h = H_2(M \| w, n)$ is computed (by one of the m devices or by another device), where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of M and w, and n is the order of $G_1$, $G_2$, $G_T$;
(h is not secret and can be transferred freely as required)
it is checked (by one of the m devices or by another device) whether w equals $g^h$; if $w = g^h$, the m devices recompute w, until $w \neq g^h$;
then $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, ..., $Q_{m-1} = [(r_m)^{-1}]P_A$ are computed, and $Q_m = P_A$ is taken;
take $S_0 = P_B$;
device No. 1 computes $S_1 = [r_1]S_0 + [-c_1 h]Q_1$, where $r_1$ is the same $r_1$ used when computing w, and then sends $S_1$ to device No. 2;
after receiving $S_{i-1}$, device No. i, $i = 2, \ldots, m$, checks $S_{i-1}$ and reports an error if it is zero; otherwise it computes $S_i = [r_i]S_{i-1} + [-c_i h]Q_i$, where $r_i$ is the same $r_i$ used when computing w; here, if $i = m$, $c_m = 0$;
if $i = m$, the computation of $S_1, S_2, \ldots, S_m$ is finished; otherwise $S_i$ is sent to device No. i+1;
device No. m takes $S = S_m$ and checks the validity of (h, S) as a digital signature of the message M; if it is valid, (h, S) is the digital signature of the message M; otherwise device No. m reports an error.
(Here $S = [r_1 r_2 \cdots r_m]P_B + [-c_1 h r_2 \cdots r_m]Q_1 + [-c_2 h r_3 \cdots r_m]Q_2 + \cdots + [-c_{m-1} h r_m]Q_{m-1} = [r_1 r_2 \cdots r_m]P_B + [-(c_1 + c_2 + \cdots + c_{m-1})h]P_A = [(r_1 r_2 \cdots r_m)b - h]d_A$.)
For this embodiment, in the initialization phase, a device that knows $d_A$ (one of the m devices, or a device other than the m devices) may randomly select m−1 integers $c_i$, $i = 1, \ldots, m-1$, in $[1, n-1]$ and check whether $(c_1 + c_2 + \cdots + c_{m-1}) \bmod n$ is 0; if so, it reselects m−1 integers in $[1, n-1]$, until $(c_1 + c_2 + \cdots + c_{m-1}) \bmod n$ is not 0;
if $(c_1 + c_2 + \cdots + c_{m-1}) \bmod n$ is not 0, then $c_i$ is handed to device No. i to be kept as a secret, $i = 1, \ldots, m-1$ ($c_m = 0$);
then the device that knows $d_A$ computes $P_A = [c^{-1}]d_A$, where $c^{-1}$ is the modulo-n multiplicative inverse of c and $c = (c_1 + c_2 + \cdots + c_{m-1}) \bmod n$;
then the device that knows $d_A$ randomly selects an integer b in $[1, n-1]$ with $b \neq c^{-1}$ and computes $P_B = [b]d_A$;
finally, $P_A$ is handed to device No. m to be stored as a secret, $P_B$ is handed to the devices that need it, and c, b, $d_A$ are destroyed.
In the above examples 1-4, m devices calculated w ═ gB^(r1r2...rm) The method of (1) comprises (not all possible ways):
device No. 1 calculates g1=gB^r1G is mixing1Transmitting device No. 2;
the device No. i receives gi-1Then, i is 2i=gi-1^ri
If i is m, w is gmFinish the calculation, otherwise, get the device g No. iiTransmitting to the device No. i + 1;
alternatively, the first and second electrodes may be,
device m calculates gm=gB^rmG is mixingmTransmitting the m-1 device;
the ith device receives gi+1Then, i ═ m-1, calculate gi=gi+1^ri
If i is 1, w is g1Finish the calculation, otherwise, get the device g No. iiTo the device No. i-1.
In Embodiments 1-4 above, if whether w equals $g^h$ is not checked during the computation, then after S is computed, if S is found to be the zero element, the m devices perform the collaborative computation again until S is not the zero element.
In Embodiments 1-4 above, one way of computing $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, ..., $Q_{m-1} = [(r_m)^{-1}]P_A$ is as follows:
device No. m takes $Q_m = P_A$, computes $Q_{m-1} = [(r_m)^{-1}]Q_m$, and sends $Q_{m-1}$ to device No. m-1;
after device No. i receives $Q_i$: if $i = 1$, device No. 1 temporarily retains $Q_1$, which completes the computation of $Q_1, Q_2, \ldots, Q_{m-1}$; otherwise, device No. i computes $Q_{i-1} = [(r_i)^{-1}]Q_i$, temporarily retains $Q_i$, and sends $Q_{i-1}$ to device No. i-1.
Based on the SM9 digital signature multi-party collaborative generation method with the product r parameter, a corresponding SM9 digital signature collaborative generation system can be constructed. The system comprises m devices, numbered No. 1, No. 2, ..., No. m, where $m \geq 2$; device No. i holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$; when the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices generate the digital signature for the message M according to the SM9 digital signature multi-party collaborative generation method with the product r parameter; in particular, if $c_m = 0$ is taken, $P_A$ is stored as a secret by device No. m, and $b \neq c^{-1}$ (i.e. $P_B \neq P_A$), then after $S_m$ is computed according to the method (in this case $[-c_m h]Q_m$ is the zero element), device No. m takes $S = S_m$ and checks the validity of (h, S) as the digital signature of the message M; if it is valid, (h, S) is the digital signature for the message M; otherwise, device No. m reports an error.
Other specific technical implementations not described here are well known to those skilled in the relevant art.

Claims (6)

1. An SM9 digital signature multi-party collaborative generation method with a product r parameter is characterized in that:
the method involves m devices, numbered No. 1, No. 2, …, No. m, where $m \geq 2$;
device No. i holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$, where n is the order of the groups $G_1$, $G_2$, $G_T$ in the SM9 cryptographic algorithm, and $(c_1 + c_2 + \cdots + c_m) \bmod n \neq 0$;
The method comprises the following steps:
$P_A = [c^{-1}]d_A$, where $d_A$ is the user's SM9 identity private key, $c^{-1}$ is the multiplicative inverse of c modulo n, and $c = (c_1 + c_2 + \cdots + c_m) \bmod n$ is an integer secret that is not held by any of the m devices;
$P_B = [b]d_A$, where b is an integer secret in the interval $[1, n-1]$ that none of the m devices has saved;
b and $c^{-1}$ do not have to be different;
$g_B = g^b$, where ^ denotes exponentiation, $g = e(P_1, P_{pub})$, $P_1$ is the generator of $G_1$, and $P_{pub}$ is the master public key;
none of the m devices stores $d_A$;
When the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices generate the digital signature as follows:
first, the m devices obtain $w = g_B^{r_1 r_2 \cdots r_m}$ through interactive computation, where $r_i$ is an integer randomly selected by device No. i in the interval $[1, n-1]$ during the computation, $i = 1, \ldots, m$;
then, $h = H_2(M \| w, n)$ is computed, where $H_2$ is the hash function specified in SM9, $M \| w$ denotes the concatenation of the strings of M and w, and n is the order of $G_1$, $G_2$, $G_T$;
whether w equals $g^h$ is checked; if $w = g^h$, the m devices compute w again until $w \neq g^h$;
then, $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, …, $Q_{m-1} = [(r_m)^{-1}]P_A$ are computed, and $Q_m = P_A$ is taken;
$S_0 = P_B$ is taken;
device No. 1 computes $S_1 = [r_1]S_0 + [-c_1 h]Q_1$, where $r_1$ is the same $r_1$ used when computing w, and then transmits $S_1$ to device No. 2;
after device No. i receives $S_{i-1}$, $i = 2, \ldots, m$, it checks $S_{i-1}$; if $S_{i-1}$ is the zero element, it reports an error; otherwise it computes $S_i = [r_i]S_{i-1} + [-c_i h]Q_i$, where $r_i$ is the same $r_i$ used when computing w;
if $i = m$, then $S = S_m$ and (h, S) is the generated digital signature for the message M; otherwise, $S_i$ is transmitted to device No. i+1, until the computation of $S_m$ is complete.
2. The SM9 digital signature multiparty cooperative generation method with product r parameter as claimed in claim 1, wherein:
the ways in which the m devices compute $w = g_B^{r_1 r_2 \cdots r_m}$ include:
device No. 1 computes $g_1 = g_B^{r_1}$ and transmits $g_1$ to device No. 2;
after device No. i receives $g_{i-1}$, $i = 2, \ldots, m$, it computes $g_i = g_{i-1}^{r_i}$;
if $i = m$, then $w = g_m$ and the computation is finished; otherwise, device No. i transmits $g_i$ to device No. i+1;
or,
device No. m computes $g_m = g_B^{r_m}$ and transmits $g_m$ to device No. m-1;
after device No. i receives $g_{i+1}$, $i = m-1, \ldots, 1$, it computes $g_i = g_{i+1}^{r_i}$;
if $i = 1$, then $w = g_1$ and the computation is finished; otherwise, device No. i transmits $g_i$ to device No. i-1.
3. The SM9 digital signature multiparty cooperative generation method with product r parameter as claimed in claim 1, wherein:
if whether w equals $g^h$ is not checked during the computation, then after S is computed, if S is found to be the zero element, the m devices perform the collaborative computation again until S is not the zero element.
4. The SM9 digital signature multiparty cooperative generation method with product r parameter as claimed in claim 1, wherein:
one way of computing $Q_1 = [(r_2 r_3 \cdots r_m)^{-1}]P_A$, $Q_2 = [(r_3 \cdots r_m)^{-1}]P_A$, …, $Q_{m-1} = [(r_m)^{-1}]P_A$ is as follows:
device No. m takes $Q_m = P_A$, computes $Q_{m-1} = [(r_m)^{-1}]Q_m$, and sends $Q_{m-1}$ to device No. m-1;
after device No. i receives $Q_i$, $i = m-1, \ldots, 1$: if $i = 1$, device No. 1 temporarily retains $Q_1$, which completes the computation of $Q_1, Q_2, \ldots, Q_{m-1}$; otherwise, device No. i computes $Q_{i-1} = [(r_i)^{-1}]Q_i$, temporarily retains $Q_i$, and sends $Q_{i-1}$ to device No. i-1.
5. The SM9 digital signature multiparty cooperative generation method with product r parameter as claimed in claim 1, wherein:
if $c_m = 0$ is taken, $P_A$ is stored as a secret by device No. m, and $b \neq c^{-1}$, then after $S_m$ is computed according to the method, device No. m takes $S = S_m$ and checks the validity of (h, S) as the digital signature of the message M; if it is valid, (h, S) is the digital signature for the message M; otherwise, device No. m reports an error.
6. An SM9 digital signature cooperative generation system based on the SM9 digital signature multiparty cooperative generation method with product r parameter of any one of claims 1-4, characterized by:
the system comprises m devices, numbered No. 1, No. 2, …, No. m, where $m \geq 2$; device No. i holds an integer secret $c_i$ in the interval $[1, n-1]$, $i = 1, \ldots, m$; when the user's SM9 identity private key $d_A$ needs to be used to digitally sign a message M, the m devices generate the digital signature for the message M according to the SM9 digital signature multi-party collaborative generation method with the product r parameter;
if $c_m = 0$ is taken, $P_A$ is stored as a secret by device No. m, and $b \neq c^{-1}$, then after $S_m$ is computed according to the SM9 digital signature multi-party collaborative generation method with the product r parameter, device No. m takes $S = S_m$ and checks the validity of (h, S) as the digital signature of the message M; if it is valid, (h, S) is the digital signature for the message M; otherwise, device No. m reports an error.
CN201910521921.5A 2019-06-17 2019-06-17 SM9 digital signature multi-party collaborative generation method and system with product r parameter Active CN110166256B (en)

Publications (2)

Publication Number Publication Date
CN110166256A CN110166256A (en) 2019-08-23
CN110166256B true CN110166256B (en) 2020-10-02

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant